U.S. patent application number 09/865463 was filed with the patent office on 2002-01-31 for compact hardware architecture for secure exchange of information and advanced computing.
Invention is credited to Cordella, Robert H. and Kellum, Charles W.
Application Number: 20020013911 09/865463
Family ID: 46277678
Filed Date: 2002-01-31
United States Patent Application 20020013911
Kind Code: A1
Cordella, Robert H.; et al.
January 31, 2002
Compact hardware architecture for secure exchange of information
and advanced computing
Abstract
A general purpose modified single board computer (MSBC) device
for operational and performance enhancement of computer systems.
The modification configures the bus interface function of the
(MSBC) such that it can reside on the expansion-bus of a host
computer system and operate as an add-in card to the hosting
system. This device provides the means to employ the resources of a
full computer system, to enhance the operation and performance of
an information system hosting this device. The MSBC permits a
"system in system" architecture thus efficiently enabling advanced
capabilities for existing and future computer and information
systems.
Inventors: Cordella, Robert H. (Oakton, VA); Kellum, Charles W. (Alexandria, VA)
Correspondence Address: DOWELL & DOWELL PC, SUITE 309, 1215 JEFFERSON DAVIS HIGHWAY, ARLINGTON, VA 22202
Family ID: 46277678
Appl. No.: 09/865463
Filed: May 29, 2001
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
09865463 | May 29, 2001 |
09198411 | Nov 24, 1998 |
Current U.S. Class: 726/11
Current CPC Class: G06F 21/567 20130101; H04L 63/145 20130101; H04L 63/1408 20130101
Class at Publication: 713/201
International Class: G06F 011/30
Claims
1. An information-system/computer hardware device for enabling
processing and transceiving of information, exchanged between a
protected host system and an external information source wherein
the information is contained in data sets carried by signals while
preventing any undesirable data from reaching the protected host
system, the information-system/computer hardware device comprising:
a) means for processing and transceiving information signals
including a means for processing the signals containing an initial
data set so as to extract the information from the initial data
sets and to form second data sets containing the information and
thereby screening out undesirable data; b) means for connecting
computer system peripheral devices thereto; c) means for
controlling computer system peripheral devices connected thereto;
d) means for interfacing to an expansion-bus of the host system in
such manner as to operate as a conventional add-in card to the host
system; and e) means for connecting external information sources
thereto and for controlling the flow of signals between such
external information sources and the information system/computer
hardware device.
2. The information system/computer hardware device of claim 1
including means for providing and receiving operational integrity
and performance information to other information system/computer
hardware devices, to thereby permit external functions to monitor
the information-system/computer hardware device operational
performance.
3. The device of claim 1 in which said means for transceiving
includes a means for securely passing the extracted information to
an authorized receiving domain, and a means for maintaining an
optimum signal transceiving rate of the authorized receiving
domain.
4. The device of claim 3 in which said means for processing and
transceiving information signal traffic includes means for
encypherment processing of signals and transceiving of such
signals, relative to the host system.
5. The device of claim 4 in which the means for processing and
transceiving information signals includes a means for processing
and transceiving signals of a video subsystem of the host system to
thereby enhance the video subsystem of the host system.
6. A system including a plurality of information-system/computer
hardware devices of claim 5, interconnected to thereby enhance the
video subsystem of the host system.
7. The device of claim 5 wherein said means for processing and
transceiving, means for connecting computer system peripheral
devices, means for controlling, means for interfacing, and means for
connecting external information sources are provided on a computer
add-in card.
8. A system including a plurality of information-system/computer
hardware devices of claim 7, which are interconnected to thereby
enhance functioning of the host system.
9. The system of claim 8 wherein each of the plurality of
information-system/computer hardware devices includes means to
receive and process operational and performance information from
other devices of the plurality.
10. The system of claim 9 wherein at least one of the plurality of
devices includes means to control other devices of the plurality,
based on the operational and performance information received from
the other devices of the plurality.
11. The system of claim 7, wherein said means for processing, means
for connecting, and means for transceiving includes the means to
transceive multiple video and multimedia signals, process these
signals into a composite signal, and transmit the resulting
composite signal, whereby the format of the resulting composite
signal is compatible with multimedia display devices.
12. The system of claim 11, wherein the means for processing, means
for connecting, and means for transceiving is embodied in a single
motherboard device, whereby the system and host system it is
protecting can both reside on said motherboard device.
13. The system of claim 12, wherein the means for transceiving
multiple video signals and multimedia signals, and means for
processing such video signals and multimedia signals is embodied as
a peripheral device to the system, such peripheral device being a
multi-input graphics card.
14. The system of claim 7, wherein the add-in card is a
single-board-computer adapted to operate in an expansion-bus slot
of the host system.
15. The system of claim 7, wherein said means for processing and
transceiving, means for connecting information system peripheral
devices, means for controlling, means for interfacing, and means
for connecting external information sources are embodied as an
application specific integrated circuit device.
16. The system of claim 11, wherein the means for connecting and
means for transceiving are a single-board-computer adapted to
operate in an expansion-bus slot of the host system such that the
system performs a modem function and operates as a communications
subsystem for the host system.
17. The system of claim 11, wherein the means for connecting, means
for processing, and means for transceiving are embodied as a
multiplicity of single-board-computers adapted to operate in
expansion-bus slots of the host system, such that the multiplicity
of single-board-computers operate collectively thus enhancing
utility and processing power of the system.
18. The system of claim 15, wherein said means for processing and
transceiving, means for connecting information system peripheral
devices, means for controlling, means for interfacing, and means
for connecting external information sources are embodied as an
embedded micro-controller device.
Description
CROSS REFERENCE TO RELATED APPLICATION
[0001] This application is a continuation-in-part of co-pending
U.S. patent application Ser. No. 09/198,411, filed Nov. 24, 1998, in
the name of the same inventor and entitled PROCESSES AND SYSTEMS FOR
SECURED INFORMATION EXCHANGE USING COMPUTER HARDWARE.
BACKGROUND OF THE INVENTION
[0002] 1. Field of the Invention
[0003] This invention relates to devices and methods that enhance the
operation, function, and performance of information systems hosting
such devices and methods. This invention also relates to methods
and devices for the safe and secure operation of host information
systems which must exchange information with other information
systems and devices, such as in cyberspace, where such external
systems may be corrupted in some manner. Rather than relying on
conventional software-based firewalls, the invention utilizes system
architecture and data signal transformations to receive and convert
or reformat incoming information signals from the external systems
and thereafter to extract and supply only non-corrupted information
signals to the host systems. The invention also provides for
screening of outgoing information signals from the host systems to
prevent unauthorized information exchange, and for permitting secure
updating of host system files with information before the updated
files are returned to the host systems. The invention further
provides an intermediate-domain-device (IDD) capability for
security applications and system enhancement capabilities for a
variety of applications. The invention provides (to its host) the
power and resources of a full computer system, in the form of an
add-in card residing on the expansion bus of the host system.
[0004] 2. Description of the Related Art
[0005] The field of information-system security (InfoSec)
technology and practice to date has focused on controlling human
user access to computer system resources, and preventing hostile,
clandestine computer programs, such as computer viruses, from
corrupting a computer system. The advent of the Internet and
personal computers brought new challenges to the InfoSec field,
particularly because in networks, other machines, not human users,
were the entities that primarily accessed a computer system. Old,
pre-network password usage and similar software authentication
methods only offered a modicum of security control at "authorized
user" entry points of a network. Intruders could bypass these
methods, as they do in today's Internet, and tap or hack (hence the
term "hackers") into the communications segment of a computer
network and launch any form of mischief or disruption that the
target network would allow. This is the core of today's Internet security
problem, wherein intruders can disrupt nearly all forms of Internet
activity, from disabling web sites and compromising message
traffic, to falsifying identity. The conventional InfoSec problems
of unauthorized user access, incorrect operation, and system
malfunction remain, in addition to today's network oriented
security problems.
[0006] Various schemes of varying degrees of complexity and
convolution have been devised to provide needed security. Examples
of two of the latest of such schemes are U.S. Pat. Nos. 5,623,601
to Vu, and 5,632,011 to Landfield, et al. The methods taught are
implemented as software computer programs, which operate with or as
a standard operating system software package. Assumed in the
methods are the correct implementation and operation of these
software packages, and the operating system (i.e. control software)
with which it must operate. Here, "correct operation" also includes
InfoSec correctness which means no compromise to a hosting system
is precipitated by the operation of such software. Proving or
verifying such assertions as software correctness, or software
operational integrity remains a major barrier in InfoSec
technology, as well as in computer science and engineering in
general. Software verification is a formidable undertaking.
Finally, software (i.e. computer programs) is vulnerable to
compromise by other computer programs, which may include viruses.
Software attack and corruption, whether of e-mail packages, protocol
modules, operating systems, macro services such as OPEN commands,
etc., is the realm of the system/network intruder (the hacker). The
ideal InfoSec tool should not be software dependent.
[0007] Today's InfoSec tools such as the above-cited references
implement, in software, a type of gateway function. The term
firewall is often used. A gateway is a computer that connects two
different networks together. A firewall is a gateway with the
additional constraints and properties that all inter-network
traffic must pass through it, whereby all unauthorized (according
to some rule-set or security policy) traffic is prevented from
passage. The firewall must operate correctly and be free from
compromise. To further compound this difficulty, firewalls are
filters. As such they must allow selected external traffic to pass
through to the system or network being protected, especially if
useful information exchange between the systems and networks
separated by the firewall, is to take place. Firewalls have no way
to filter out hostile traffic, without prior knowledge of such
traffic. Also, service packages, such as e-mail, containing
corrupted command macro programs (e.g. macro viruses) are
impervious to firewalls. Possible legitimate bit configurations in
command fields of standard message traffic passing through a
firewall could trigger disruptive events, when entering a protected
system or network. Firewalls, acting as an address translation
proxy for an inside/protected system or network, can protect that
system or network from exposure, to an external system or network,
of its internal and critical address information. Again, one
assumes (usually, without rigorous basis) correctness of the proxy
software function.
[0008] Although firewalls and anti-virus software are steps in the
right direction, more universal protection of information systems
or networks is needed, whereby such protection is easily
verifiable, cost-effective, does not require "a priori knowledge" to
successfully execute a detection and/or filtering function, and is
software independent.
[0009] Prior art single board computer (SBC) devices are
structured to exercise total control over the computer system in
which they reside. Typically a chassis with a passive backplane
will employ an SBC to act as the system controller (i.e.
motherboard). The SBC arbitrates the use of the system's
expansion-bus (sometimes referred to as the I/O bus) by other
devices connected to the expansion bus. If a conventional
motherboard is used to implement a computer system, that
motherboard arbitrates use of its expansion-bus. Thus a
conventional SBC residing on that (motherboard arbitrated)
expansion bus will cause serious/fatal system conflict, as both the
motherboard and the SBC attempt to control the expansion-bus and
other system functions.
[0010] If single board computers could be modified to operate with
conventional SBC devices and motherboards, powerful, effective
enhancements to current and future information systems could be
achieved. Such enhancements are necessary given the increasing
demand for operational and performance capability facing
information system technology.
SUMMARY OF INVENTION
[0011] The present invention is directed to the use of a computer
hardware device which functions as an inter-domain screen or signal
processor hereafter referred to as the IDS. The IDS is a unique
data flow control architecture and device family, within which two
unique processes are executed. The IDS protects its host system
from compromise from any external connections. The IDS contains an
intermediate-domain-device (IDD), sockets which connect the IDD to
the host system, and sockets which connect the IDD to external
domains. External domains, which are to exchange information with
the host, are prevented, by the IDS from compromising the host. The
intermediate domain (embodied by the IDD) is a special purpose
domain for information exchange. The purpose of the IDS is to
permit maximum information interchange, while preventing external
signals from directly entering a protected domain or host. The term
"host system" is used synonymously with "protected domain". The
external signals may be the carrier of hostile executable code.
Viruses, worms, triggers for trap-door and Trojan horse type
software, and other forms of hostile signals use incoming data
signals to enter a protected (target) information system
environment. That is, the information being exchanged, including
any hostile data, is contained in data sets carried by signals. The
hostile data sets depend on the structural integrity of the
incoming data stream or signal(s) for the necessary maintenance of
its own structure. With the present invention, this structural
integrity is disrupted, while the information carried by the data
stream is preserved in the IDS. The InfoSec processes executed are
isolation of external signals and derivation of the information
content of such signals; together they are referred to as the
modified-read process. To achieve this, an "information-preserving"
data transformation takes place in the IDS on these potentially
corrupted incoming external data signals such as by processing an
incoming signal containing an initial data set in such a manner as
to extract the information in the initial data set, thus creating a
signal having a different data set, and, thereafter, transmitting
the different data sets to the host domain. Such processing
includes converting the type and/or format of signals such as
converting a telephone signal to a TV signal or converting an
analog signal to a digital signal.
[0012] The intermediate domain and the modified-read function which
takes place therein form a protective screen for the internal or
host system or domain, to which they are attached. The
modified-read process does not require prior knowledge of a
particular virus/worm, etc and is a universal eliminator of hostile
executable code.
[0013] The IDS therefore is not a proxy-server or firewall which
are vulnerable to software errors and/or compromise, and to unknown
hostile executable code (i.e. new virus) penetration. The IDS is an
incoming signal buffer and transformer and an outgoing signal
filter. It is a hardware device that is scalable, that provides the
special purpose domain for information data flow control. This
special purpose domain is intermediate between the IDS's host
system, which it is protecting, and external systems.
[0014] It is important to note that generic IDS functions and
architecture enforce the following for the systems/networks it is
protecting:
[0015] a) immunity to penetration;
[0016] b) assurance that all traffic between the protected domain
and the external domain enters the IDS;
[0017] c) no direct connections between the protected domain and the
external domain exist; and
[0018] d) only authorized information, as defined by local InfoSec
policy is allowed to exit the IDS.
[0019] The IDS is a multi-function device acting as a firewall, a
guard/filter, a network front-end, and hostile code (e.g. virus)
eliminator. The IDS may also act as a host system file screen which
is adapted to receive file information from the host system, screen
new file information and thereafter update existing files in the
host system.
[0020] The present invention is directed to a method and apparatus
for enabling information to be exchanged between a protected system
and an external information source wherein the information is
contained in data sets which are carried by signals in such a
manner that undesired data is prevented from reaching the protected
system. The invention uses an intermediate domain computer hardware
device which is connected between the external data source and the
protected system so as to receive an initial data set including the
information which may contain undesirable data transmitted from the
external source. In the intermediate domain hardware, the signals
containing the initial data set are processed to create a second
data set in such a manner that the information in the initial data
set, is extracted to thereby screen out undesirable data.
Thereafter, the extracted information is passed to the protected
system.
[0021] In the elementary version of the invention, the intermediate
domain computer hardware device (the IDD) may be a network
computer, a webtv unit, a single board computer (SBC), a
laptop/notebook computer, other personal computer (or the like), or
a specially designed chip which receives signals in any manner such
as broadcast signals or signals from a conventional telephone line
from an external domain site such as the internet or world wide
web. The incoming signals to the hardware device are routed (via
the IDD) to what is tantamount to a tv card associated with a PCI
bus of a computer system. The intermediate/domain device (IDD) in
the form of the webtv system transforms the incoming signals. Any
virus contained in the original signals can not survive the
transformation of the signal format from the signals originally
received, (such as by way of the telephone line), to the video
signals at the tv-card and thus the card supplies extracted
information to a connected computer which may be a personal
computer.
[0022] As a reduced function (manual) embodiment of the elementary
system, signals from the computer hardware device such as in a
webtv system may be conveyed to a conventional printer wherein the
signals are converted or transformed into a printed format which
may be preserved. By taking the printed format and transforming the
printed format into signals, such as by scanning, the information
can be provided from the printer to the input of a PC such that
only the extracted information without any viruses is passed to the
personal computer or host system. In both the foregoing scenarios,
the virus (or other forms of hostile code) can not survive the
signal transformation within the intermediate domain system.
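The modified-read process of [0011] and the transformation scenarios of [0020] through [0022], re-cast as a software analogue (an added example, not the applicants' hardware): an HTML message from the external domain is rendered to plain-text lines (the "print" step), the original data set is discarded, and a brand-new HTML document is generated from those lines alone (the "scan" step). The sample message, the element sets, and the output format are constructed for this example.

```python
"""Software analogue of the modified-read process (added example; the patent
describes a hardware signal transformation, not this code).

Constructed scenario: an HTML mail body arrives from the external domain.  The
intermediate domain renders it to plain-text lines (the 'print' step), drops
the original byte stream, and generates a brand-new HTML document from those
lines alone (the 'scan' step).  Scripts, event handlers, embedded objects and
comments have no textual rendering, so they do not survive; text that merely
looks like markup is kept as information and re-emitted escaped.
"""
from html import escape
from html.parser import HTMLParser

# Elements whose content carries no information for a human reader (assumed set).
NON_INFORMATION = {"script", "style", "object", "embed", "iframe", "noscript"}
# Elements that start a new line in the rendered printout (assumed set).
BLOCK = {"title", "h1", "h2", "h3", "p", "div", "li", "tr", "br", "pre"}


class Renderer(HTMLParser):
    """'Print' half of modified-read: HTML in, lines of visible text out."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.lines = [""]
        self._skip = 0  # nesting depth inside NON_INFORMATION elements

    def handle_starttag(self, tag, attrs):
        if tag in NON_INFORMATION:
            self._skip += 1
        elif tag in BLOCK and self.lines[-1]:
            self.lines.append("")
        # attributes (onmouseover=..., href=..., data=...) are never rendered

    def handle_endtag(self, tag):
        if tag in NON_INFORMATION:
            self._skip = max(0, self._skip - 1)
        elif tag in BLOCK and self.lines[-1]:
            self.lines.append("")

    def handle_data(self, data):
        if self._skip:
            return  # script/style/object content is discarded unread
        text = " ".join(data.split())  # collapse whitespace like a printer would
        if text:
            self.lines[-1] = (self.lines[-1] + " " + text).strip()
    # comments never reach handle_data, so they are dropped as well


def render_to_lines(html_text: str) -> list:
    """Return the visible text of html_text as a list of non-empty lines."""
    r = Renderer()
    r.feed(html_text)
    r.close()
    return [line for line in r.lines if line]


def scan_to_html(lines) -> bytes:
    """'Scan' half: build a fresh data set from the rendered text only."""
    body = "\n".join("<p>%s</p>" % escape(line) for line in lines)
    doc = ('<!DOCTYPE html>\n<html><head><meta charset="utf-8"></head>\n'
           '<body>\n' + body + '\n</body></html>\n')
    return doc.encode("utf-8")


def modified_read(incoming: bytes) -> bytes:
    """Full process: decode defensively, render, discard original, re-emit."""
    text = incoming.decode("utf-8", errors="replace")  # bad bytes become U+FFFD
    return scan_to_html(render_to_lines(text))


# Constructed hostile-looking input: information plus riders that must not pass.
SAMPLE_INPUT = b"""<html><head><title>Invoice 42</title>
<script>alert(1)</script></head>
<body><h1>Invoice 42</h1>
<p onmouseover="alert(2)">Amount due: &euro;1,250.00</p>
<!-- hidden macro payload -->
<object data="payload.bin"></object>
<p>Ship to: 12 Example Street</p>
<p>Note: type &lt;b&gt; to bold</p>
</body></html>"""

if __name__ == "__main__":
    print(modified_read(SAMPLE_INPUT).decode("utf-8"))
```

No byte of the incoming stream is copied to the output; the output is generated solely from the rendered lines, which is what gives the process its independence from prior knowledge of any particular hostile payload.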
[0023] As mentioned, as opposed to using the webtv unit, a single
board computer, laptop or notebook computer may be utilized to act
as the intermediate domain device. The laptop or single board
computer is connected to receive a signal such as through a
telephone line from the internet. The invention, however, is not
limited in its application to a single point or an individual host or
host system. The host may be substantially any single receiving
information processor, including mainframe computers, information
networks including local and wide area networks (LANs and WANs), and
the like. Also, the computer hardware of the IDS is not limited to
single or individual computer elements but may be computer networks
and systems.
[0024] Any contamination of the IDS's intermediate domain from
system error or hostile executable code from external domains, is
easily corrected by a reset function, or a cold-boot from a clean
boot-disk. For some applications, this could be a recommended
periodic procedure. The IDS architecture insures that only data
that has gone through a modified-read process enters the host
(protected) system.
[0025] In another embodiment of the invention, the IDS is used to
safely update files stored in the host system. In this embodiment,
a file from the host is loaded to the IDS. The IDS also receives
information signals from the external domain and processes the
signals in a modified-read, converting the signal's initial data set
to a second data set in such a manner that the information is
extracted; the extracted information updates the file loaded from
the host, and the IDS thereafter forwards the safely updated file to
the host. In this way all updating of files is done so that the host
files can not be compromised.
[0026] In yet another embodiment, the invention provides a
screening of all outgoing signals from the host or protected system
to the IDS so as to ensure that only permitted information is
transmitted.
[0027] The present invention is especially directed to the use of a
computer hardware device embodied as a modified
single-board-computer (MSBC). The modified singleboard-computer is
configured to operate as an add-in card to the system in which it
resides. The MSBC is programmable and multi-functional, permitting
its host system to achieve advanced/enhanced operational
capabilities including but not limited to the following:
[0028] reliability and performance monitoring;
[0029] advanced operational fault-tolerance;
[0030] security fault-tolerance;
[0031] dynamic reconfiguration for optimal security and
performance;
[0032] processing engine for advanced computation-intensive
applications (e.g. asymmetric cryptography, neural networks,
multi-sensor applications, real-time process control); and
[0033] front-end processor for secure inter-networking.
[0034] As an add-in card, multiple MSBC devices can exist within a
host system, thus increasing the security, performance, and
capability of that host system. Thus a "multiple systems within
systems" architecture is both feasible and practical.
[0035] Different embodiments of the MSBC are provided with respect
to processing power or peripheral port connectors which generally
reflect the application for which the MSBC is employed. All
embodiments of the MSBC are configured to reside on the
expansion-bus of the hosting system. In a first embodiment, a
standard SBC is configured/modified to operate as an add-in card on
the expansion-bus (sometimes referred to as the I/O bus) of a
computer type device. In this embodiment, several applications are
possible, including performing as a front-end processor or
Intermediate Domain Device as defined below, a PCMCIA (Personal
Computer and Memory Card International Association) bridge module,
a neural-network-based process controller, or a performance
enhancement module.
[0036] In accordance with the present invention, an
information-system/computer hardware device is provided for
enabling processing and transceiving of information, exchanged
between a protected host system and an external information source,
wherein the information is contained in a data set carried by a
signal while any undesirable data is prevented from reaching the
protected host system. The information-system/computer hardware
device includes:
[0037] a) means for processing and transceiving information signal
traffic including a means for processing the signals containing an
initial data set so as to extract the information from that initial
data set and to form a second data set containing the information
and thereby screening out undesirable data,
[0038] b) means for connecting computer system peripheral devices
thereto;
[0039] c) means for controlling computer system peripheral devices
connected to itself;
[0040] d) means for interfacing to an expansion-bus of the host
system in such manner as to operate as a conventional add-in card
to the host system; and
[0041] e) means for connecting external information sources thereto
and for controlling a flow of signal traffic between such external
information sources.
[0042] In another embodiment, the MSBC is configured with the means
to monitor and control other MSBC devices, wherein the other MSBC
devices reside internal to, or external from, the system hosting
the monitor and control MSBC. The monitoring MSBC has the means to
detect and deactivate compromised MSBC devices it is monitoring,
and attempt repair operation by initiating reset type processes in
the compromised MSBC devices. The monitor and control MSBC can
activate and deactivate other MSBC devices for dynamic
reconfiguration type operations including fault-tolerance
maintenance, performance level adjustment, and security
maintenance.
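The monitor-and-control behaviour of [0042], written as an added example in Python (not the applicants' design): the monitoring MSBC validates each monitored device's operational-integrity report, deactivates a device whose firmware digest or self-test is wrong or which falls silent, attempts repair by issuing a reset, and takes the device out of service after a fixed number of failed repairs. The report fields, thresholds, digests and command names are assumptions made for this example.

```python
"""Monitor-and-control MSBC logic (added example, not the applicants'
implementation).  Each monitored MSBC is assumed to send periodic reports
carrying a per-boot sequence number, a self-test result and a digest of its
firmware image.  The monitor checks each report against the expected digest,
rejects replays, deactivates a device that is compromised, failing or silent,
attempts repair by issuing a reset, and takes the device permanently out of
service after RESET_LIMIT unsuccessful repairs.  Report fields, thresholds
and command names are assumptions made for this example.
"""
import hashlib
from dataclasses import dataclass

HEARTBEAT_INTERVAL = 5.0   # seconds between expected reports (assumed)
MISSED_LIMIT = 3           # consecutive missed reports tolerated (assumed)
RESET_LIMIT = 2            # repair attempts before permanent deactivation

# Constructed digests: what the monitor expects versus a tampered image.
GOOD_DIGEST = hashlib.sha256(b"msbc firmware image v1 (constructed)").hexdigest()
BAD_DIGEST = hashlib.sha256(b"tampered firmware image (constructed)").hexdigest()


@dataclass
class Report:
    """Operational-integrity/performance report from one monitored MSBC."""
    device: str
    seq: int               # restarts at 0 after every reset
    sent_at: float         # seconds, monitor's clock
    self_test_ok: bool
    firmware_digest: str   # hex SHA-256 of the device's firmware image


@dataclass
class DeviceState:
    expected_digest: str
    status: str = "active"   # active | resetting | deactivated
    last_seq: int = -1
    last_seen: float = 0.0
    resets: int = 0
    reason: str = ""


class MonitorMSBC:
    """The monitoring MSBC of [0042]: validate, isolate, repair, reconfigure."""

    def __init__(self, expected_digests, now=0.0):
        self.devices = {dev: DeviceState(digest, last_seen=now)
                        for dev, digest in expected_digests.items()}
        self.commands = []   # (device, command) issued to other MSBCs, in order

    def _fault(self, dev, st, reason):
        st.reason = reason
        self.commands.append((dev, "deactivate"))  # isolate first, always
        if st.resets < RESET_LIMIT:
            st.resets += 1
            st.status = "resetting"
            st.last_seq = -1                       # seq restarts after reset
            self.commands.append((dev, "reset"))
        else:
            st.status = "deactivated"              # repair exhausted

    def ingest(self, rep):
        """Validate one report; return the device's resulting status."""
        st = self.devices.get(rep.device)
        if st is None or st.status == "deactivated":
            return "rejected"          # unknown device or out of service
        if rep.seq <= st.last_seq:
            return st.status           # replayed/stale report: ignored
        st.last_seq, st.last_seen = rep.seq, rep.sent_at
        if rep.firmware_digest != st.expected_digest:
            self._fault(rep.device, st, "firmware digest mismatch")
        elif not rep.self_test_ok:
            self._fault(rep.device, st, "self-test failed")
        elif st.status == "resetting":
            st.status = "active"       # first clean report after reset
            self.commands.append((rep.device, "activate"))
        return st.status

    def tick(self, now):
        """Clock-driven check: a device that stops reporting is faulted."""
        for dev, st in self.devices.items():
            if st.status == "deactivated":
                continue
            if now - st.last_seen > MISSED_LIMIT * HEARTBEAT_INTERVAL:
                st.last_seen = now     # avoid re-faulting on every tick
                self._fault(dev, st, "no report received")


if __name__ == "__main__":
    mon = MonitorMSBC({"msbc-1": GOOD_DIGEST, "msbc-2": GOOD_DIGEST})
    print(mon.ingest(Report("msbc-1", 0, 5.0, True, GOOD_DIGEST)))   # active
    print(mon.ingest(Report("msbc-2", 0, 5.0, True, BAD_DIGEST)))    # resetting
    print(mon.commands)
```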
[0043] In a further embodiment the MSBC is configured to perform as
an advanced, high-performance, encypherment engine on the
communication link of its host system. This embodiment of the MSBC
is connected to the communication device of the host and to the
external network. Several such MSBC devices can be cascaded, to
enhance performance and functionality. The MSBC encypherment engine
provides the processing power to efficiently implement encypherment
techniques such as asymmetric cyphers, steganography, and other
forms of computational-resource intensive encypherment methods.
[0044] In yet another embodiment, the MSBC is configured to
operate as a graphic accelerator and video server. In this
embodiment, the MSBC operates as a real-time video server/buffer
for video telephony applications thus reducing the adverse impact,
of telephone network packet switching, on video telephony
applications. The quality of such transmissions (and host video
subsystem operations) is also enhanced by the additional processing
power of the MSBC (including multiple MSBC devices, if required by
the application) dedicated to the operation of the video
subsystem.
[0045] It is the primary object of the present invention to provide
a method and apparatus which protects a host system from
contamination by preventing external signals from entering the
protected host system permitting safe "information" exchange
between the host and possibly hostile external domains and, in some
embodiments, also preventing inadvertent and/or unauthorized
release of data from the host system.
[0046] These and other features, advantages, and attainments of the
present invention will become apparent to those skilled in the art
upon a reading of the following drawings wherein there is shown and
described illustrative embodiments of the invention.
BRIEF DESCRIPTION OF THE DRAWINGS
[0047] In the course of the following detailed description,
reference will be made to the attached drawings in which:
[0048] FIG. 1 is an illustration of a prior art firewall
configuration wherein a protected system is connected to an
external system via an intervening firewall arrangement consisting
of a gateway function processor surrounded on either side by a
router function;
[0049] FIG. 2 illustrates an intermediate domain screen (IDS)
device of the present invention separating an internal or host
domain, that is protected by the invention, and an external domain
that might be hostile and/or corrupted;
[0050] FIG. 3 illustrates an arrangement of several IDS devices in
accordance with the invention, each of which use an authentication
process for mutual identification, thus forming a secure network
overlaying an intervening public or unprotected network;
[0051] FIG. 4 illustrates another embodiment of the invention,
wherein an IDS is configured to protect several internal domains
from corruption or compromise by an external domain;
[0052] FIG. 5 diagrams the modified-read process executed by the
invention of FIG. 2;
[0053] FIG. 6 illustrates a basic or elementary version of IDS of
the invention;
[0054] FIG. 7 illustrates the generic logic structure of the
invention;
[0055] FIG. 8 illustrates a multi-function embodiment of the
invention;
[0056] FIG. 9 is an illustration of a prior art
single-board-computer (SBC) device wherein the bus arbitration
capability of the SBC is enabled and controls all other devices
connected to a passive backplane in which the SBC resides;
[0057] FIG. 10 illustrates a modified SBC (MSBC) device wherein the
bus arbitration capability is disabled, thus forcing the (MSBC) to
operate as a standard add-in card to the system in which it
resides;
[0058] FIG. 11 illustrates an (MSBC) device configured to monitor
and control other (MSBC) devices;
[0059] FIG. 12 illustrates an (MSBC) device/devices configured to
operate as a communications link encipher device for its host
system; and
[0060] FIG. 13 illustrates an (MSBC) device/devices configured to
operate as video subsystem enhancement device for its host
system.
DETAILED DESCRIPTION OF THE INVENTION
[0061] The invention has several fundamental embodiments which are
described in the following sections. Other embodiments are derived
from these fundamental embodiments. The term "domain" is used
throughout this document. "Domain" is defined as a system or
network or set of systems or networks. The term "router" refers to
a computer that selects and implements, at the software level,
data-paths from one location to another in a computer network. Also
the term "signal" is used synonymously with data, data sets, files,
messages, packets, protocol sequences, etc. throughout this
document, to stress generality. Signals, as referenced herein,
refer to any information carrying quanta, such as electromagnetic
current, lightwaves, which are processable by information system
technology. It is fundamental to realize that data, data sets,
control commands, etc., are manifested as electronic signals and/or
electro-optic signals and that information systems and networks
transform and transceive such signals, and that the invention as
described more fully below, operates at this fundamental signal
level.
[0062] Prior Art Attempts
[0063] Referring to FIG. 1, there is illustrated a prior art
firewall arrangement. An ordinary gateway function module 1 sits
between two filtering routers 3 and 4. One router 3 is connected to
an internal network 5 and the gateway 1. The other router 4 is
connected to an external network 6 and the gateway. These modules
and especially their software must interact in an error-free and
complex fashion to enforce a security policy for information
transfer between the internal network and the external network.
These modules primarily implement a filtering function 2,
which implies that externally generated signal traffic will enter
the internal network. Such traffic may be contaminated, and may thus
compromise the internal network. All methods in current practice
are software based, and operate on a framework derivable from that
depicted in FIG. 1. Generally, software cannot be "trusted" to
function correctly, where "trusted" is defined to include provable
correctness in structure, compilation, installation, and operation.
Also hacking and other types of intrusions attack the software of
the networks that are targeted. A prime example is the Internet
where intrusions, hacking, web-site compromise, and other forms of
software misuse are rampant.
[0064] Hardware-Based InfoSec Provided by the Present Invention
[0065] Referencing FIG. 2, the intermediate domain screen (IDS) 10
of the present invention is a hardware system composed of at least
three (3) and in some embodiments of four (4) generic hardware
components. The basic components are an IntermediateDomain-Device
(IDD) 12, an external domain socket 14, and an IDS to internal
domain socket 13. A fourth hardware component is an internal domain
to IDS socket 17. The sockets can take the form of conventional
modem type devices including special purpose signal processing and
signal transfer components such as video, wireless communication,
integrated telephony, and facsimile cards and the like,
programmable systems or devices such as single board computers
(SBC), smart digital signal processors, embedded systems and the
like, large mainframes, local and/or wide area networks
(LANs/WANs). The invention physically and logically separates an
internal domain 15 from an external domain 16. The internal domain
can range from a single system such as a personal computer or web
site to a network, as can the external domain. The internal domain
is the domain being protected by the invention, and is referred to
as the host or protected domain. Each of the sockets 13, 14 and 17
can be implemented as a set of sockets. Socket 13 allows only
specific types of signals or data sets to enter the host 15. Socket
17 performs a filter or guard function between the host 15 and the
IDS, to restrict and control the release of signals from the host
15. The IDD 12, acts as a confinement domain for external signals
or data sets carried by incoming signals, thus preventing viruses
(and other forms of hostile code) contained in the external signals
from entering the protected domain or host. The IDD provides an
intermediate domain for safe information interchange between the
internal-domain/host 15 and the external domain 16. This
interchange includes execution of external programs, Internet
access such as web browsing, updating internal-domain programs and
software, which have been sent, via socket 17, to the IDD by a host
filtering or selection process residing in the IDD for updating
and/or other interaction with the external domain. The IDD executes
an "information-preserving-data-transformation" process to extract
necessary information from external signals and transmits such
information, via socket 13, to the host 15. This process is called
a modified-read (M-R), and in conjunction with socket 13 ensures
that only uncontaminated signals or data sets are transmitted to
the host. Socket 13 transmits only signals that have undergone the
(M-R) process.
[0066] The socket components 14, 13 and 17 must not communicate
directly with each other in an IDS configuration. This could
facilitate unauthorized data transfers. All data transfer must be
monitored by the IDD 12. As an example, to ensure this, a bus
request pin of a network interface card, NIC, embodying socket 14
must be deactivated, i.e. grounded. This results in a (partially
connected) hardware architecture. In many instances, InfoSec
concerns must also include the possibility of compromise from
within. Such compromise can be malicious, or inadvertent. The
inadvertent compromise can result from system malfunction and/or
user/operator error. In the data flow control framework, the
unauthorized release of information as a result of such compromise
is addressed by the invention, wherein the IDS can restrict host 15
users, i.e. insiders, to specific, controlled functions relative to
the external domain 16. Socket 17 operation supplies a filter or
guard function, the purpose of which is to prevent unauthorized
release of data or information from a protected host. In this
respect, the socket 17 may include a single board computer which is
programmable to filter or screen signals passing from the host to
the IDD so that only authorized or releasable data is allowed to
enter the IDD from the host.
[0067] Large environments, such as networks, are typical
applications for versions of the IDS. Thus advanced, sophisticated
filtering type functions can be implemented. Depending on the
processing power of the component chosen to implement the IDD 12,
the filter function can range from a simple template-matching query
filter to highly sophisticated, adaptive, cognitive, content
analyzing, auto-classifier type capabilities. As a hardware system,
the IDS 10 physically separates its host computer systems from an
external system or network at the signal level. Thus, all viruses,
worms, and other forms of hostile executable code contained in
external signals or data sets are prevented from entering the host
system, because all external signals are confined to the IDD 12.
The IDS receives data, some of which might possibly be contaminated
from external domains, extracts the "information" contained in this
data, and safely transmits such "information" to the protected host
15.
[0068] Basic versions of the IDS implement a video-transformation
modified-read process. This is a signal level (information
preserving) data transformation. No outbound data or signal path
from the host system exists. Thus unauthorized clandestine or
inadvertent transmission of host data, is prevented. In the
programmable IDS versions where signals are transmitted from the
host, a comprehensive generic processor-based intermediate domain
is provided which can be used with smart adaptive InfoSec agent
programs capable of hostile-penetration countermeasure type
functions. These functions include adaptive classifiers, session
encryptors, and e-mail (payload) encryption functions, for safe
transit of outgoing IDS data.
[0069] All IDS versions can also reside remotely from their host
system. Such versions can be configured to protect several host
systems simultaneously. The IDS architecture easily accommodates
IDS to host encryption (i.e. end-to-end encryption) to protect data
in transit through public networks linking the host and the IDS.
Hybrid versions of the IDS which implement a modified-read (M-R)
function to remove hostile data from incoming data streams,
simultaneously implement a filter function, to prevent unauthorized
data exfiltration from the host. The hybrid version combines any
set of IDS versions to screen incoming traffic and outgoing
traffic. It thus allows the host safe and simultaneous connectivity
to domains of different security levels. In addition, the IDD,
intermediate domain device can be set to control the host systems.
In this mode of operation, the IDD becomes an administrative
control device to selectively restrict host system access to the
external domains (e.g. the Internet) and/or to confine signals
incoming from external domains.
[0070] Referencing FIG. 3, a network IDS 10, as defined in FIG. 2,
is shown protecting a set of internal domains 15, 15', etc. The IDS
10 device includes programmable systems and includes an
authentication processor 18 to implement a
device-identification-number (DIN) authentication process to verify
the identity and authorized presence of another IDS 10', or other
device such as hosts 15, 15' in the network. The IDS 10' device
includes an authentication process 18'. The communications
subsystem of an IDS can use a DIN in the same manner that people
use a PIN (personal identification number), with a bank card. DIN
equipped IDS devices can operate a hardware-level inter-device
authentication process. This DIN authentication process is operated
during the initial handshake and randomly during a communications
session, between IDS devices and/or other DIN equipped devices. A
DIN can be variable, for added rigor. This process permits
authorized network nodes/stations to identify any unauthorized
and/or possibly malfunctioning nodes in a network. The IDS uniquely
implements this process at the signal level of a network. Further,
the DIN is enciphered by its IDS, for secure transit to other IDS
devices. Thus, the process is invisible to hackers and other
disrupters who operate at the software levels of a network. In the
network shown, host 15 is connected to IDS 10 through outgoing
socket 17 and incoming socket 13 while IDS 10 is connected to the
external domain 16 through socket 14 and to networked IDS 10'. IDS
10' is connected to the external domain, or another external
domain, through socket 14' and through host input socket 13' to
host 15' and socket 17' from host 15'.
[0071] Referring to FIG. 4, the IDS architecture can utilize video
teleconferencing technology. In this embodiment, an IDS 20 is
defined, utilizing desktop video conference (DVC) technology. As a
brief background, operational interface standards for DVC are
evolving. Generally the standard designations are as follows:
[0072] H.320 → DVC over the ISDN/POTS telephone environment
[0073] H.323 → DVC over LAN environment
[0074] T.120 → Collaborative Computing (e.g. Whiteboarding)
The majority of present DVC capabilities address either H.320
(telephone domain) or H.323 (LAN domain) either (or both) of which
is the external domain 26 from which signals are received by an IDS
20. We now consider a DVC capability which addresses both the LAN
and the telephone domains. Such a capability will permit
simultaneous LAN and telephone domain connection. Conceivably, a
user could connect to a classified LAN, and the Internet,
simultaneously. Most InfoSec policies would forbid such
simultaneous connectivity. In FIG. 4, a LAN/phone capable DVC
device such as a PictureTel 550 is used in an IDS 20. The IDD 22 of
the invention contains a LAN/phone DVC card. Generally, the DVC
card is a peripheral-device to the system containing it. The DVC
card also is obviously an external (interface) socket 24 for the
IDS. A videoswitch 23a is used to pass information to internal
(protected) domains 25 and 25'. This switch is thus a socket to the
internal domains. Each internal domain communicates with the IDS
20, in a remote-control DVC mode through receiver sockets 23 and
23'. This can be achieved by a simple whiteboarding-function which
is a standard feature, that can permit one computer system to
control another. Specifics would be driven by the T.120 standard
and the particular devices used for implementation. By the video
teleconferencing process, the information or original data set
carried by signals from the external domain is processed through
the IDD DVC card 24 so that the original data set is, at the
output, a second data set from which information is extracted and
is sent to the host domain in a video format. This conforms to the
modified-read requirements for IDS operation. For applications
where the unauthorized leakage/exfiltration of internal data, is of
major concern, it should be remembered that the IDS 20 architecture
via socket 27 forces all outbound signals from internal domains
into the IDD 22. Signals in the IDD can be reviewed, manually
and/or automatically for authorization, prior to interaction with
external signals. This is a form of insider control. The IDS
permits components to be remotely located. Also, the IDS can be
remotely connected to its host system, with no reduction in the IDS
ability to protect the host system. The IDS architecture is modular
and thus permits modular maintenance and modular upgrade without
adverse impact on the protection capability. As an example, for IDS
applications using video signals, an advanced
tv-card/video-signal-receiver can detect and filter unauthorized
and/or undesired data signals embedded in a video, e.g. tv signal
transmissions. Such video receivers will, in their IDS function,
isolate all incoming transmissions from program execution domains
of the protected host system.
[0075] Referencing FIG. 5, a fundamental modified-read (M-R)
process is illustrated. The modified-read operation deals with
information transfer. Possibly contaminated signals and the data
they carry are received from an external domain 37 via the extended
interface socket 34 of an IDS 30. In this example, the transfer is
between a control module 31 and an external-interface-module (EIM)
32 of the IDS 30 which is, for example, a single board computer
(SBC), embedded microprocessor (EMB) or embedded micro-controller
(EMC) personal computer. The bus control signals from the EIM are
restricted so that an EIM cannot, relative to the main IDS bus 33,
become bus master and thus initiate data transfer. This is
accomplished by disabling (e.g. grounding) the appropriate main IDS
bus/(IDD internal communications segment) control signals from the
EIM's internal interface.
[0076] The modified-read operation functions as follows:
[0077] The IDS Control Module (CM) 31 scans the external request
buffer of EIM 32 and checks the request pending flag (note: EIM main
memory contents must remain in the EIM, to confine possible
contamination). If a request is pending, the CM sets the read flag
in the execution buffer file (EBF) 35. EIM 32 continually scans for
the read flag in EBF 35.
[0078] If read flag is set, the modified-read process is initiated
to process the incoming signal from the external domain such as by
a facsimile process, a conversion to video format process, or a
printed format process.
[0079] When the modified-read sequence is complete, EBF 35 ready
flag is set and the control module 31 transfers EBF 35 to main
memory, for processing.
[0080] The above sequence defines the information transfer within a
modified-read operation. The actual external data, which may be
contaminated, never leaves the EIM 32. Information in the EBF 35 is
transferred through socket 36 to the protected domain 38.
[0081] On command from the control module, the EIM 32 will
transfer its main memory contents to the probe memory (or holding
area) in the CM 31. Subsequent steps are as follows:
[0082] Probe functions of the CM 31 build an execution buffer file
(EBF) 35. This is a coded representation of relevant (to the IDS
function) contents of the EIM's main memory. This EBF 35 is what is
actually transferred from the EIM 32 into the control module 31 of
the IDS, for insertion into the IDD-to-internal domain socket 36.
This process acts as an electronic air-gap, blocking the transfer
of possibly contaminated data.
[0083] The IDD 40 via the CM 31 acts on the EBF 35. The EBF format
and contents are unknown to external domains 37, and inaccessible
from these domains. The EBF is transferred to the protected domain
38 via socket 36.
[0084] The CM 31 returns status, response to requests, flush
commands, etc. to the EIM. Actual CM 31 responses are obviously
application specific. The EBF, constructed by the EIM probe
function, must conform to a proper set of EBF patterns/sequences
authorized and recognized by the CM.
[0085] Contaminated external data never leaves the EIM 32. This condition
is enforced by allowing no raw external data to leave the EIM,
in-bound to a protected system 38.
[0086] A prime modified-read (M-R) objective is to prevent
inadvertent or externally controlled execution of hostile code.
Secondary objectives include forcing internal user deliberate
interaction for execution of received external executable code. The
following guidelines should be used for M-R implementation:
[0087] Incoming binary (including executable) data strings
must:
[0088] a) be modified to an alternate binary (non-executable)
format;
[0089] b) be treated as non-executable data (e.g. text data) by the
receiving system; and
[0090] c) be transformed, preserving information, but altering
data strings.
[0091] Incoming data stream (binary) must not re-appear in the
system (without direct user action).
[0092] Transformation properties (at receivers) must:
[0093] a) be known to external data transmitter;
[0094] b) not have an inverse derivable by transmitter (thus
eliminating cryptography); and
[0095] c) map data stream into machine usable format. By way of
Example:
[0096] Take the binary data stream $d_b = 1000111010010100001111010111$ and a transformation $T_i$, $i \in \mathbb{N}^{+}$.
[0097] Then:
[0098] for example, $f_i(0), f_i(1), \ldots = T_i(d_b)$;
[0099] for $T_i(d_b)$: $T_i T_i^{-1} \neq I$, i.e. no inverse exists (where $I$ is an identity transformation);
[0100] $T_i(d_b) \neq d_b$, i.e. no unity (for all $i$);
[0101] $T_i(d_b)$ is processable only in non-executable domains of the receiving system.
[0102] By way of example, the modified-read process may include the
use of a facsimile machine to receive the incoming signal which may
contain hostile data. The signal from the external domain is
converted to print data which is a non-executable format at the
receiving domain. The facsimile signals are scanned in, including
by software, and forced into non-executable format for receiving
domain processing.
[0103] The two primary InfoSec issues are first that possibly
contaminated raw data does not enter the protected domain. Second,
the incoming bit stream, the data virtual carrier, is not
reproduced inside the protected domain. This second requirement is
addressed by not using a direct inverse of the sending facsimile
transformation. The information extraction transformation must not
be an inverse of this original facsimile transformation. For some
applications, an additional but not necessary safeguard would be
restricting external knowledge of the actual recovery
transformation used for the protected domain. If we view the
original facsimile transformation as the transport transformation,
and the scanning or print formation function as the recovery
transformation, the general examples following could serve as
transport/recovery transformation pairs:
[0104] EBCDIC/ASCII
[0105] $\mathrm{Font}_i$/$\mathrm{font}_j$
[0106] $\mathrm{Fax}_i$/$\mathrm{Fax}_j$ (where $\mathrm{Fax}_j \neq \mathrm{Fax}_i$)
[0107] text format/video format
[0108] text format/printer format
[0109] digital/analog
[0110] digital format$_i$/digital format$_j$ (where digital$_i \neq$ digital$_j$)
[0111] signal format$_i$/signal format$_j$ (where signal format$_i \neq$ signal format$_j$)
[0112] The Hamming Distance between the bit representation of one
character, in the transport transformation, to its equivalent
representation in the recovery transformation could, in some
instance, serve as a measure of appropriateness for transformation
pairs. Obviously, other transformation pairs and acceptability
metrics could be derived.
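As an added example (not part of the application), the following Python model walks through the FIG. 5 modified-read cycle of [0077] through [0085] using the EBCDIC/ASCII transport/recovery pair of [0104], and computes the Hamming-distance measure of [0112]. The EBF record format, the sample note, and the bytes standing in for hostile content are constructed assumptions; element numbers in the comments refer to FIG. 5.

```python
"""Model of the FIG. 5 modified-read (M-R) cycle with an EBCDIC/ASCII
transport/recovery pair. Constructed example; numbers refer to FIG. 5."""
import re
from dataclasses import dataclass, field

# Constructed sample: the external domain (37) sent a note in EBCDIC (cp037),
# the transport transformation. The trailing bytes stand in for hostile binary
# content riding in the same signal.
NOTE = "Meeting at 10:30 - bring the report."
EXTERNAL_DATA = NOTE.encode("cp037") + bytes([0x00, 0x90, 0x90, 0xCC, 0xFF, 0x1F])

# Hypothetical EBF record format: the CM recognizes only printable-ASCII
# TEXT records (the application does not fix a concrete EBF format).
AUTHORIZED_EBF_PATTERNS = (re.compile(r"\ATEXT:[ -~]{1,80}\Z"),)


@dataclass
class EIM:
    """External-interface module (32). Raw external data lives here and never leaves."""
    main_memory: bytes
    request_pending: bool = True


@dataclass
class EBF:
    """Execution buffer file (35): coded records plus the read/ready flags."""
    records: list = field(default_factory=list)
    read_flag: bool = False
    ready_flag: bool = False


def probe(memory: bytes) -> list:
    """Probe function: apply the recovery transformation (EBCDIC -> text) and
    emit one TEXT record per run of printable ASCII. Control and non-ASCII
    characters, i.e. carrier bytes that are not information, are not carried."""
    text = memory.decode("cp037")          # cp037 maps every byte value
    return ["TEXT:" + run for run in re.findall(r"[ -~]{1,80}", text)]


def modified_read_cycle(eim: EIM, ebf: EBF) -> list:
    """One CM (31) cycle: poll the request flag, set the read flag, let the
    probe build the EBF, then pass only authorized records to socket 36.
    Returns the records that reach the protected domain (38)."""
    if not eim.request_pending:
        return []
    ebf.read_flag = True                   # CM sets the read flag in the EBF
    ebf.records = probe(eim.main_memory)   # EIM side sees the flag, runs the probe
    ebf.ready_flag = True                  # M-R sequence complete; CM acts on EBF
    eim.request_pending = False
    delivered = [r for r in ebf.records
                 if any(p.match(r) for p in AUTHORIZED_EBF_PATTERNS)]
    ebf.read_flag = ebf.ready_flag = False  # CM returns status/flush to the EIM
    return delivered


def carrier_bytes_reappear(raw: bytes, delivered: list) -> bool:
    """Second InfoSec requirement of [0103]: does any byte value of the
    incoming carrier show up in what was delivered to the protected domain?"""
    out = b"".join(r.encode("ascii") for r in delivered)
    return bool(set(raw) & set(out))


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two byte values."""
    return bin(a ^ b).count("1")


def pair_distances(text: str) -> dict:
    """Per-character Hamming distance between the transport (EBCDIC) and
    recovery (ASCII) bit representations, the measure suggested in [0112]."""
    return {ch: hamming(ch.encode("cp037")[0], ord(ch)) for ch in set(text)}


if __name__ == "__main__":
    eim, ebf = EIM(EXTERNAL_DATA), EBF()
    got = modified_read_cycle(eim, ebf)
    print(got)                                        # ['TEXT:Meeting at 10:30 - bring the report.']
    print(carrier_bytes_reappear(EXTERNAL_DATA, got))  # False
    d = pair_distances(NOTE)
    print(min(d.values()), max(d.values()))           # 1 7
```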
[0113] The IDS process permits necessary information exchange
between host computer systems and an external network without
intrusion of (possibly corrupted) external data signals into the
host. The modified-read process is a universal virus, worm, hostile
executable code eliminator. This signal level, modified-read
process operates below the software layer of a system. Thus, the
process is not dependent on prior knowledge of hostile data
structures (unlike conventional software-based anti-virus type
packages) to neutralize such hostile data. This neutralization
function is a primary host protection mechanism used by the
IDS.
[0114] Referring to FIG. 6, a television signal based version IDS
42 is disclosed. The host-system 45 is a Packard Bell PLT 2240
personal computer system. The external-domain 46 is the
Internet/world-wide-web. Any PC or network of PC's can be protected
in this manner. The intermediate domain device (IDD) 47 is a webtv
system, for example Phillips/Magnavox MAT960A1 Internet Unit. The
IDS 42 permits commercial off the shelf components to be used in
their normal expected usage scenarios, without modification of any
kind. As further illustration of this point, a television (PCI bus)
card 48 (for example a Hauppauge 401 card) of the host system is
connected to the webtv system unit. These are signal transformation
processes that are implemented for the required modified-read
process of the IDS. Such processes isolate all incoming signals
from program execution domains of the host system, while making the
"information content" of the incoming signals available to the host
system 45. InfoSec integrity of the host is thus maintained.
[0115] As shown in FIG. 6, the tv card 48 transforms the output of
the IDD 47 to a format different from that of the external domain
46 and which is processable by the host 45. Also shown in the
drawing figure is an actual television 49 which is connected to an
input of the television card 48 and which is utilized to verify
that a true television signal is being received at the card thus
insuring the correct operation of the tv card. As opposed to
sending a signal from the webtv 47 to the television card 48, other
signal transformations are possible, for example the signal can be
outputted to a facsimile machine or printer 41 from the webtv IDD
47. The printer constitutes a signal transformation processor which
preserves the information in a printed format as received from the
webtv IDD 47. The preserved transformed signals of the print copy
from the printer 41 can be scanned by a scanner 44 to create a
transformed signal which can be provided to the host system 45. A
standard telephone 43 is also shown in the drawing figures and is
utilized to check operation of the communications link between the
IDS 42 (including the webtv system 47) and the external domain
46.
[0116] With continued reference to FIG. 6, the invention may also
be used to protect the host during the updating of host system
files. As shown, the host 45 may be connected at socket 50 such
that files from the host can be downloaded to the IDD 47 of the IDS
42. In this embodiment, (which excludes use of a webtv type IDD)
the file information is retained in a file buffer in the IDD. The
IDD receives signals from the external domain and processes the
signals as described in FIG. 5 with respect to IDD 40 to thereby
perform the modified-read process and obtain signals having a
different data set. Information is extracted from the initial data
set in such a manner as to derive a second data set which is then
sent to the file buffer to update the file information downloaded
from the host 45 and the updated file is thereafter forwarded as a
tv signal to the socket or tv card 48 of the host. Thus, the file
of the host is updated without any undesirable data being
transmitted to the host system. In some embodiments no host to IDD
socket exists. Thus, no signal path for exfiltration of the domain
signals is available. With the protected system thus isolated from
cyberspace and/or other hostile domains, it can be safely connected
to a classified domain/network without danger of compromise to that
classified domain.
[0117] The intermediate domain system of the present invention is a
system within a system type architecture wherein such systems and
subsystems may be activated and deactivated to achieve maximum IDS
functional flexibility. As an example, if the IDS is implemented to
reside internal to its host, the host interface module is
activated. If the IDS is implemented to reside external to the
host, a communication subsystem linked to the host/internal domain
is used to embody an outgoing socket between the protected host and
the IDS similar to socket 17 of FIG. 2. In either case, the
modified-read subsystem includes the incoming socket from the
external domain.
[0118] With reference to FIG. 7, the IDS operation will be
described in detail. A data set, possibly contaminated, is received
by the communication subsystem where it is important to note that
the data set is carried in a signal format as previously discussed
and the signal format may also be corrupted. The processing data
flow controller subsystem accesses the received data set and
determines if it is program and/or control data that must be
executed. If program execution is required, the data set is
transferred to the external processing domain (of the IDD) for
execution and the results of the execution are returned to the
processing data flow controller subsystem for transfer to the
modified-read subsystem. If no program execution is required, the
processing data flow controller subsystem transfers the data set to
the modified-read subsystem directly. The modified-read subsystem
operates as described with respect to the embodiment of FIG. 5
discussed above.
[0119] FIG. 8 illustrates a multifunction IDS configured for video
teleconferencing. The IDS chassis 51 is that of its host such as 45
of FIG. 6, if the IDS is implemented to reside internal to its
host. In this case, the add-in cards of FIG. 8 are cards 52a, 52b,
52c, 52d, and 54, whereby card 52a is a modified single board
computer (SBC), card 52d is a video capture card, card 52b is a
graphics accelerator, 52c is a sound card, and card 54 is a modem type
card embodying an external domain interface socket. The socket may be in
the form of a modem board or a network or cable interface type
card. The cards 52a, 52b, and 52c comprise the
intermediate-domain-device (IDD) of the IDS. As shown, an IDS can
reside internal to its host, if its SBC's interface to the host's
expansion bus is configured as an add-in card. The SBC 52a thus
uses only devices directly connected to it, and not those devices
connected to the host's expansion bus. For the case of an IDS
implemented to reside external to its host, the add-in cards reside
on the passive backplane of the IDS chassis 51. The SBC 52a
implementing the control module of the IDD, controls the IDS from
its slot on the IDS device's passive backplane. Cards 53 and 53a
form a socket, and are a tv card 53 and a sound card 53a both
residing in the host system's expansion bus. Socket 57 is a one-way
direct cable connect (DCC) link from the host system to the SBC and
is used for direct data transfers to the IDD. Modules 31, 32, 33
and 35 (from FIG. 5) reside in the SBC 52a. The internal hard
drive 62 is connected to the IDD's SBC 52a and resides in a bay in
the chassis 51 of the IDS or, the chassis of the host, if the IDS
resides internal to the host. A compact-disk (CD) drive 63, backup
tape drive 64, floppy disk drive 65, and the smart-card reader 66
can each reside internal to or external to the chassis 51, where
each device is connected to the IDD's SBC 52a, permitting the IDS
to operate as an independent system whether residing internal to or
external to its host. A joystick 67 as well as a microphone 68 are
connected to the IDD sound card 52c, to support telephony, video
telephony, network gaming, and video conferencing type functions.
In addition to its InfoSec functions (and those just mentioned),
the IDS is ideal as a special function platform, which frees the
host for simultaneous execution of other tasks. Video monitor (VGA)
signals 69, move from 52a to 52b to socket 53. Audio signals 70
move from 52c to socket 53a. This video and audio information
transfer is a video based modified-read process. Signals 72 and 73
are video and audio output from the host domain. Signals 71 from a
keyboard or mouse 75 are applied to the IDD's SBC 52a. Finally, a
video camera 74 necessary for video conferencing and video
telephony operations is connected to the card 52d of the IDS. Using
the teachings of the invention, all incoming signals from all input
sources such as to the modem 54 which receives signals from the
external domain 80, the camera 74, disk drive 63, tape drive 64,
floppy disk drive 65, smart card reader 66, joy stick 67 and
microphone 68, are processed through the cards 52a, 52b, 52c,
52d acting as the IDD and are transformed so that the
host/protected domain remains safe and isolated from the external
signal source, which may be contaminated. If a
desktop-video-conferencing (DVC) type card is used for an input
socket 54, instead of a standard modem, microphone and video camera
inputs could go directly to the DVC card. A V.90 standard (or
better) compatible modem is recommended for older telephone system
type videophone usage. Other, high bandwidth, high performance
modems and other communication type devices such as network
interface cards, cable system interface devices may be used to
embody socket 54. All external signals, contaminated or not, are
confined within the IDD.
[0120] Referring to FIG. 9, there is illustrated a prior-art single
board computer (SBC). In systems containing prior-art/conventional
SBC devices 100, the SBC is the central control module for those
systems. The SBC performs the function of a motherboard, and
provides an on-board expansion-bus and connector ports 105, 105',
105" where peripheral devices can be connected to it. The SBC
normally resides in the passive backplane 104 of its hosting system
and via the bus arbitration means 103 (of the SBC), the activity of
other devices connected to the passive backplane is controlled by
the SBC. Thus, multiple SBC devices on the backplane of a system
would conflict especially in the bus arbitration function.
[0121] Modern SBC devices are powerful computer systems which could
greatly enhance the functional capability of other information
systems, if the SBC could be modified to operate as an add-in card
to its hosting system. As an example, bus arbitration conflicts can
be resolved by deactivation of the SBC device's bus arbitration
control signals. This is a primary modification needed for SBC
devices to operate as add-in cards, to their hosting system.
[0122] Referencing FIG. 10, an SBC 110 to be used as an IDD
residing internal to its host, must be modified in the manner of
FIG. 10 wherein the bus control and arbitration signals 112 are
deactivated such as by grounding at 113 and the bus master/slave
signals 116, 117 and 118 are enabled such that the modified SBC
(MSBC) 100 interfaces to the host peripheral bus 104 as a standard
add-in card. The PCI bus specification is used in FIG. 10 to
illustrate this generic modification procedure. The modified SBC
retains its internal/on-board connections 115, 115' and 115" to
which SBC dependent peripheral devices may be connected thus
forming a "system within a system" capability for the host.
[0123] When modifying the SBC for use in a "system within a system"
environment, the following procedures must be followed:
[0124] a) the SBC arbitration-control signals must be disabled to
prevent the SBC from arbitrating control of the protected system's
expansion-bus;
[0125] b) only the bus-master and bus-target capability of the
modified SBC is enabled, which respectively permits initiating and
receiving expansion-bus data set transfers; and
[0126] c) the interface to the protected system's expansion bus
must be prevented from acting as a bridge module between the
protected system's expansion bus and the IDD device's on-board
local bus, thus isolating on-board bus-connected devices from the
protected system's expansion-bus-connected devices and enabling a
secure "system within a system" architecture.
[0127] The three generic modifications discussed above are achieved,
for example when the protected system's expansion bus conforms to
the peripheral component interconnect (PCI) bus 104, by allowing the
modified SBC add-in card 100 functioning as the IDD to assert a
REQ# (bus request) signal at 116 and to only receive GNT# (bus
grant) control signals 117 and ACK# (acknowledge) type signals 118
in a PCI configuration, thus ensuring that the IDD peripheral
devices are not directly accessible from the protected system's
expansion bus. A multiplicity of such modified SBC systems can be
used in a single IDD, to render that IDD extremely fault-tolerant
and dynamically flexible.
[0128] Referring to FIG. 11, an embodiment 122 of the invention
configured to monitor and control a multiplicity of other
embodiments of the invention (as defined in FIG. 10) is
illustrated. The control function fundamentally involves a reset
capability and an activate/deactivate capability. The reset
function/capability involves initiation of a "cold-boot" type cycle
(of start-up or initialization sequences) for the embodiments of
the invention that are being monitored. The activate/deactivate
function respectively involves the means to "bring on-line" or
"take off-line" an embodiment of the invention that is being
monitored by the device type of FIG. 11. As an example operational
scenario, where a multiplicity of devices of the type in FIG. 10
are monitored by the device of FIG. 11 and are employed to control
inter-domain signal traffic flow, the reset function would be
automatically activated for all off-line devices, thus providing a
cleaning/scrubbing type function to remove any contaminants
received (by these off-line devices) from signals injected during
their previous on-line periods. Scrubbed/decontaminated off-line
devices would be activated if/when particular application
performance measurements dictate that augmentation of the set of
active devices is necessary. Conversely, if performance measurements
so dictated, active devices would be taken off-line to maximize
efficiency. Such performance measurements are continually taken by
the monitoring and control embodiment of the invention. The
invention has the means to analyze the performance measurements and
initiate the "application specific" appropriate action (related to
the multiplicity of devices it is monitoring) based on such
performance measurement analysis. Thus, fault-tolerance techniques,
security techniques, dynamic reconfiguration, advanced high-speed
communications and other advanced system performance and
reliability enhancement can be efficiently achieved, by use of the
invention defined in FIG. 11. As an example, the invention, coupled
with a high performance modem type device, could supply the
processing horsepower for payload encryption of IP packets in a
high-speed communications transceiving embodiment.
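A behavioural model of the FIG. 11 scrub/activate/deactivate cycle, added here as an illustration and not part of the patent's own description. The device pool, the three device states, and the utilisation thresholds are assumptions; the invariant the model enforces is that a device that carried traffic is always cold-booted before it is brought back on-line.

```python
from dataclasses import dataclass
from enum import Enum, auto

class State(Enum):
    OFFLINE_DIRTY = auto()  # carried traffic in an earlier on-line period
    OFFLINE_CLEAN = auto()  # cold-booted since its last on-line period
    ONLINE = auto()

@dataclass
class MSBC:  # one monitored FIG. 10 style device (constructed model)
    ident: str
    state: State = State.OFFLINE_DIRTY
    boots: int = 0

    def reset(self):
        # "Cold-boot" cycle: anything injected while on-line is discarded.
        self.boots += 1
        self.state = State.OFFLINE_CLEAN

class Monitor:  # FIG. 11 style monitoring/control device (constructed model)
    def __init__(self, devices, high=0.8, low=0.3):
        # high/low: assumed utilisation thresholds for the active set
        self.devices, self.high, self.low = devices, high, low

    def online_count(self):
        return sum(d.state is State.ONLINE for d in self.devices)

    def scrub_offline(self):
        # Every off-line device is reset before it can be brought back.
        for d in self.devices:
            if d.state is State.OFFLINE_DIRTY:
                d.reset()

    def move_one(self, wanted, new_state):
        # Transition the first device currently in state `wanted`.
        for d in self.devices:
            if d.state is wanted:
                d.state = new_state
                return d
        return None

    def step(self, utilisation):
        """One control cycle driven by a fresh performance measurement."""
        self.scrub_offline()
        if utilisation > self.high:  # augment the active set, clean units only
            self.move_one(State.OFFLINE_CLEAN, State.ONLINE)
        elif utilisation < self.low and self.online_count() > 1:
            self.move_one(State.ONLINE, State.OFFLINE_DIRTY)  # take off-line
        return self.online_count()
```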
[0129] Generally, the embodiment of FIG. 11 contains the
deactivated bus interface signals 129, the bus master control
signals 116, 117, 118, which permit add-in card type operation on
the host system's expansion-bus 104, and sensor ports 123, 124, 125
which connect to the device or devices (FIG. 10) being monitored.
This monitoring and control device embodiment 122 is programmable
and reconfigurable, and could operate with similar embodiments of
the invention.
[0130] Referring to FIG. 12, an embodiment 130 of the invention is
shown configured to operate as a communication-line encipher device
for its host system. The device 130 connects to the communication
subsystem of its host, generally via a modem type device 141, by
way of its host interface communications port 135. The external
domain interface port 136 can be linked to an external domain 140,
or to a cascade of like devices 130' via the host interface port
135' (and communications link 138) of the next device in such a
cascade. FIG. 12 illustrates two such devices in cascade, wherein
the second device 130' is connected to the external domain 140, via
its external domain interface port 136'. Each device of FIG. 12
exhibits the same generic structure. The host expansion-bus 104
hosts the cascade. The degenerate/basic cascade contains one
device. The bus arbitration signals 131 (of device 130) and 131' (of
device 130') are disabled. Control system 132, 133, 134 (of device
130) and 132', 133', 134' (of device 130') permit the invention to
operate as an add-in card to its host. Peripheral device ports
137a, 137b, 137c (of device 130) and 137a', 137b', 137c' (of
device 130') permit enhanced operational and functional capability
of the invention. Examples of such enhancements are efficient
asymmetric cypher processing for entire data units, steganography,
and other advanced cypher techniques.
[0131] Referring to FIG. 13, an embodiment 142 of the invention is
shown configured to operate as a video subsystem enhancement to its
host system. This embodiment of the invention has a VGA port 147 to
receive signals from the video subsystem of its host. This
embodiment connects to a video monitor type device via port 148.
Connectors 150, 150', 150" are for use of application specific
peripheral devices which can be employed for functional
enhancement. An identical device 142' is connected via waveguide
149 to peripheral port 150' of device 142, in this example. This is
an additional example of cascading (included in the FIG. 12
example), to further enhance the function of the host system's
video subsystem. In this example, the host expansion bus 104
interface for device 132 includes bus interface signals 144, 145,
146, and the deactivated bus arbitration control signals 143.
Peripheral ports 140 and 140", are also included in this example.
The invention has the means to support such advanced video
functions as scan-line interleaving (SLI), data compression, and
signal conversion (as is done with current TV/video-capture add-in
cards).
The invention also has the means to support a plurality of
multimedia ports such as port 147, such that a composite of the
signals input to the plurality, is output via port 148.
[0132] An example application, in support of IP-video-telephony
type applications, for the FIG. 13 embodiment of the invention is
to operate as a real-time local video server or packet buffer. The
Internet and the underlying public switched network route packets in
many indirect ways to maximize network performance and
reliability. For conventional voice and data packets, this dynamic
routing has little adverse effect on user-perceived transmission
quality. Video and video-telephony packets, however, have
extremely critical time-sequencing requirements if quality of
transmission is to be maintained. The invention has the means to
buffer such video packets in such a manner as to maintain
transmission quality (more accurately, to re-establish transmission
quality) by using store-and-forward, interleaving type processing
techniques, and permitting local receivers/users to access the
received information as is done from a video server. The difference
here is the processing power and speed of the invention (modified
SBC) providing the means to perform such functions in what appears
to be real-time to users/receivers. Since this process is duplex
(or half-duplex) capable, enhanced interactive video telephony is
enabled.
[0133] Further, it is important to note that the invention
(modified single-board-computer (MSBC)) can be embodied as a
commercial SBC unit modified to operate on the expansion-bus of a
hosting system, as a PCMCIA (Personal Computer and Memory Card
International Association) type device, as a CardBus type device,
as a specially configured motherboard, as an embedded
micro-controller type device, as an ASIC (application specific
integrated circuit) device, or combination thereof, thus providing
maximum flexibility and utility. Additionally, a multiplicity of
such devices can be used, for example with one device functioning
as a communications front-end to another device. This illustrates
the scalable nature of the invention.
[0134] It is expected that the present invention and many of its
attendant advantages will be understood from the foregoing
description and it will be apparent that various changes may be
made in form, construction, and arrangement of the components and
modules thereof, without departing from the spirit and scope of the
invention or sacrificing all of its advantages, the forms
hereinbefore described being merely preferred or exemplary
embodiments thereof.
* * * * *